Tag: policies

A recent review of accounts on various systems has found that after employees' passwords are required to change they are recycling the same password as before. Which of the following policies should be enforced to prevent this from happening? (Select TWO)

A chief information officer (CIO) is concerned about PII contained in the organization’s various data warehouse platforms. Since not all of the PII transferred to the organization is required for proper operation of the data warehouse application, the CIO requests that the unneeded PII data be parsed and securely discarded. Which of the following controls would be MOST appropriate in this scenario?

Explanation:
PKI uses a centralized trust model. In a simple PKI there is a single centralized certification authority (CA). In a hierarchical trust model the root CA is the center of the model, with subordinate CAs lower in the hierarchy.
Note: A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
A trust model is a collection of rules that informs applications how to decide the legitimacy of a digital certificate.

Incorrect Answers:
A: Some of the trusts in a PKI trust model are transitive, but the trust model itself is centralized, not transitive.
B: Open Source refers to software and is not a concept that is within a PKI.
Open source software is software whose source code is available for modification or enhancement by anyone.
C: PKI does not use a decentralized trust model.
Web of trust, an alternative to PKI, uses a decentralized trust model.

A recent review of accounts on various systems has found that after employees’ passwords are required to change they are recycling the same password as before. Which of the following policies should be enforced to prevent this from happening? (Select TWO).

Explanation:
E: Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords.
B: When a user is forced to change his password due to a maximum password age period expiring, he could change his password to a previously used password. Or if a password history value of 5 is configured, the user could change his password six times to cycle back round to his original password. This is where the minimum password age comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days.

Incorrect Answers:
A: Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. This will not prevent users from changing their passwords multiple times to cycle back to their original passwords. Therefore, this answer is incorrect.
C: Password complexity determines what a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers. It will not prevent users from changing their passwords multiple times to cycle back to their original passwords. Therefore, this answer is incorrect.
D: Account lockout settings determine the number of failed login attempts before the account gets locked and how long the account will be locked out for. Account lockout settings will not prevent users from changing their passwords multiple times to cycle back to their original passwords. Therefore, this answer is incorrect.
F: Password expiration determines how long a password can be used for before it must be changed. Password expiration will force users to change their passwords but it will not prevent users from changing their passwords multiple times to cycle back to their original passwords. Therefore, this answer is incorrect.

ABC company has a lot of contractors working for them. The provisioning team does not always get notified that a contractor has left the company. Which of the following policies would prevent contractors from having access to systems in the event a contractor has left?

Explanation:
Account expiration is a secure feature to employ on user accounts for temporary workers, interns, or consultants. It automatically disables a user account or causes the account to expire at a specific time and on a specific day.

Incorrect Answers:
A: An account review would conclude if users have been suitably completing their work tasks or whether there have been failed and/or successful attempts at violating company policies or the law. It would not prevent contractors from having access to systems in the event a contractor has left.
C: Account lockout automatically disables an account due to repeated failed logon attempts. It would not prevent contractors from having access to systems in the event a contractor has left.
D: The question states: “The provisioning team does not always get notified that a contractor has left the company”. Therefore, disabling an account needs to happen automatically. The account expiration policy meets the requirements.

Explanation:
Although the concept of PII is old, it has become much more important as information technology and the Internet have made it easier to collect PII through breaches of internet security, network security and web browser security, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts. Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person’s name to a fingerprint (think biometrics), credit card number, or patient record. Thus a PII handling policy can be used to protect data.

Incorrect Answers:
B: Password policy is usually implemented to control access to resources.
C: Chain of custody refers to a basic forensic procedure that is taken into account after an event occurred.
D: When a hole is found in a web browser or other software and attackers begin exploiting it the very day it is discovered by the developer (bypassing the one-to-two-day response time that many software providers need to put out a patch once the hole has been found), it is known as a zero-day exploit.